b"September 3, 2004\nReport No. 04-032\n\n\n\nStrategies for Enhancing Corporate\nGovernance\n\n\n\n\n            AUDIT REPORT\n\x0c                                                    TABLE OF CONTENTS\n\n\nBACKGROUND ............................................................................................................................1\n\nGOVERNANCE DEFINED..........................................................................................................2\n\nCORPORATE GOVERNANCE COMPONENTS AT THE FDIC ..............................................4\n\nSTRATEGIES FOR ENHANCING THE CORPORATE GOVERNANCE\nFRAMEWORK......................................................................................................................................5\n    Audit Committee Overview ................................................................................................5\n    Audit Committee Best Practices .........................................................................................7\n    Overview of Enterprise Risk Management .....................................................................10\n    Determining an ERM Framework ...................................................................................11\n    Lessons Learned From Others in Developing an ERM Framework ............................14\n    A Model ERM Framework ...............................................................................................17\n    Assessing the Current State of Internal Control.............................................................20\n\nSUMMARY ..................................................................................................................................21\n\nCORPORATION COMMENTS ................................................................................................21\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY ......................................22\nAPPENDIX II: AUDIT COMMITTEE SELF-EVALUATION 
TOOL..............................23\nAPPENDIX III: EXCERPT FROM COSO EXPOSURE DRAFT:\n              ENTERPRISE RISK MANAGEMENT FRAMEWORK..............................27\n\nTABLES:\n\n          Table 1: National Association of Corporate Directors\xe2\x80\x99 Core Recommendations\n                   for Governance Practices ...................................................................................3\n          Table 2: Main Areas of Audit Committee Responsibility ..............................................6\n          Table 3: Audit Committee Best Practices........................................................................7\n          Table 4: Insurance Companies That Implemented ERM ............................................10\n          Table 5: Traditional Risk Management in Comparison to ERM................................11\n          Table 6: Examples of Risk Infrastructures ...................................................................13\n          Table 7: Steps for Integrating ERM...............................................................................16\n\x0c\x0cAlso, as a result of the Sarbanes-Oxley Act, management now must evaluate its internal\ncontrol structure over financial reporting and report on its effectiveness. In addition, auditors\nmust attest to management\xe2\x80\x99s assertion regarding the effectiveness of those controls. Certain\nfinancial institutions have been required to meet similar but not identical requirements\nenacted by the Federal Deposit Insurance Corporation Improvement Act of 1991.2\n\nThe Federal Deposit Insurance Corporation (FDIC) currently has structures in place or in\ndevelopment that address these emerging business practices. This report provides\ninformation on audit committee best practices, ERM, and internal control over financial\nreporting that can be useful in further enhancing the FDIC\xe2\x80\x99s governance structure. 
The FDIC\nOffice of Inspector General (OIG) actively supports a sound governance structure.\n\nGOVERNANCE DEFINED\n\nGovernance can be defined as the processes for managing an organization\xe2\x80\x99s affairs or for\nensuring accountability. Governance can include various activities such as setting business\nstrategies and objectives, determining risk appetite, establishing culture and values,\ndeveloping internal policies, and monitoring performance.3\n\nA board of directors and internal and external auditors play a key role in corporate\ngovernance. The board reviews the development and execution of business strategies.\nAuditors may identify risks and controls and confirm adherence to policies. According to\nErnst & Young, 4 some key components of effective corporate governance include the\nfollowing:\n\n    \xe2\x80\xa2    An instrumental executive management team.\n    \xe2\x80\xa2    An effective, independent board.\n    \xe2\x80\xa2    A sound culture that allows the principles of good governance to thrive.\n    \xe2\x80\xa2    A proactive audit committee.\n    \xe2\x80\xa2    A compensation committee aligning executive compensation to shareholder value.\n    \xe2\x80\xa2    A nominating committee ensuring effective governance of the board.\n    \xe2\x80\xa2    A sound internal control framework.\n    \xe2\x80\xa2    A relevant code of ethical behavior.\n    \xe2\x80\xa2    Clear, enforced policies and procedures.\n    \xe2\x80\xa2    Effective management of risk.\n    \xe2\x80\xa2    An objective, well-resourced internal audit function.\n    \xe2\x80\xa2    Independent, effective external audit.\n    \xe2\x80\xa2    Transparent disclosure, effective communication, and systems that ensure effective\n         measurement and accountability.\n\n\n\n2\n  Pub. L. No. 
102-242.\n3\n  Integrity-Driven Performance, A New Strategy for Success Through Integrated Governance, Risk and\nCompliance Management, PricewaterhouseCoopers, 2004.\n4\n  What is Corporate Governance? Corporate Governance Series, \xc2\xa9 Ernst & Young, March 2004.\n                                                    2\n\x0cAlso, in the aftermath of major corporate failures such as Enron, the National Association of\nCorporate Directors5 developed recommendations for practices in corporate governance.\nThose recommendations, provided below, include some of the same components as described\nabove.\n\nTable 1: National Association of Corporate Directors\xe2\x80\x99 Core Recommendations for\nGovernance Practices\n    Board of Directors should:\n\n        \xe2\x80\xa2   Be composed of a substantial majority of independent directors.\n\n        \xe2\x80\xa2   Consider designating an independent director as chairman or lead director.\n\n        \xe2\x80\xa2   Regularly evaluate the performance of the Chief Executive Officer (CEO), other\n            senior managers, the board as a whole, and individual directors.\n\n        \xe2\x80\xa2   Annually review the adequacy of their company\xe2\x80\x99s compliance and reporting systems.\n\n        \xe2\x80\xa2   Adopt a policy of holding periodic sessions of only independent directors, providing\n            board and committee members the opportunity to react to management proposals\n            and/or actions in an environment free from formal or informal constraints.\n\n        \xe2\x80\xa2   Be engaged with management on company strategies.\n\n        \xe2\x80\xa2   Have an orientation program for new directors, and ensure that directors are current\n            on company issues.\n\n    Key committees of the Board of Directors should:\n\n        \xe2\x80\xa2   Be composed entirely of independent directors, and be free to hire independent\n            advisors as necessary.\n\n        \xe2\x80\xa2   Have a board-approved 
written charter detailing the board\xe2\x80\x99s duties.\n    Audit committees should meet independently with both the internal and independent auditors.\n\n\nSource: Recommendations from the National Association of Corporate Directors Concerning Reforms in the\nAftermath of the Enron Bankruptcy, National Association of Corporate Directors.\n\nAlthough the FDIC is an independent agency of the federal government, many of the key\ncomponents of effective corporate governance may be used in the Corporation\xe2\x80\x99s governance\nstructure. For example, a proactive audit committee, sound internal control, an ethics\nprogram, effective risk management, and independent and objective auditors are elements\nthat are part of the existing structure.\n\n\n\n\n5\n A national nonprofit organization established to serve the corporate governance needs of individual corporate\ndirectors and boards.\n                                                      3\n\x0cCORPORATE GOVERNANCE COMPONENTS AT THE FDIC\n\nThe FDIC has similar corporate governance components as those discussed earlier. For\nexample, the FDIC has a Board of Directors (Board), which has an Audit Committee; a\nnewly established Office of Enterprise Risk Management (OERM); executive management;\nand independent auditors -- the FDIC OIG and the Government Accountability Office\n(GAO).6 The Board consists of five directors, three of which are appointed by the President\nand confirmed by the Senate. The other directors include the Comptroller of the Currency\nand the Director of the Office of Thrift Supervision (OTS).\nThe Board\xe2\x80\x99s Audit Committee monitors the FDIC\xe2\x80\x99s financial reporting responsibilities and\ninternal control programs. The committee also regularly meets with and discusses issues\nwith the OIG. 
The following officials compose the Audit Committee:\n\n       \xe2\x80\xa2   Vice Chairman of the Board of Directors;\n\n       \xe2\x80\xa2   Director, OTS; and\n\n       \xe2\x80\xa2   Deputy to the Chairman and Chief Financial Officer.\nOERM administers the FDIC\xe2\x80\x99s Internal Control Program (ICP), which monitors risks. The\naudit committee may direct OERM and appropriate divisions and offices to clarify or follow\nup on specific issues and conduct special projects. Additionally, OERM conducts the\nFDIC\xe2\x80\x99s program to fulfill the Chief Financial Officers Act of 19907 annual reporting\nrequirements, including reporting on the ICP.\nThe OIG is another key element in the FDIC\xe2\x80\x99s governance structure. The OIG, as an\nindependent unit, reports to the Congress and Board Chair. The OIG conducts audits and\ninvestigations of the FDIC\xe2\x80\x99s programs and operations. Also, through semiannual reports to\nthe Congress and other products, the OIG provides insights into the key FDIC management\nand performance challenges.\nAnother independent audit unit is the GAO, which reports to the Congress and primarily\naudits the financial statements of the funds administered by the FDIC. Additionally, the\nGAO attests to the effectiveness of the Corporation\xe2\x80\x99s internal control over financial reporting\nand compliance and may audit other areas of interest to Congress.\nEach of these components contributes to the governance structure of the FDIC. As concerns\nfor governance reforms have affected companies worldwide, it may be an opportune time to\nexamine some of the strategies developed to enhance existing structures and build proactive\nrisk reduction measures into business practices.\n\n\n\n\n6\n    The name of the GAO was changed, effective July 7, 2004, as a result of recent legislation.\n7\n    Pub. L. No. 
101-576, codified principally to title 31, U.S.C.\n                                                           4\n\x0cSTRATEGIES FOR ENHANCING THE CORPORATE GOVERNANCE\nFRAMEWORK\n\nAudit Committee Overview\n\nAccording to the 1999 Blue Ribbon Committee on Improving the Effectiveness of Corporate\nAudit Committees,8 the role of an audit committee is one of oversight and monitoring. In its\nreport entitled, Report and Recommendations of the Blue Ribbon Committee on Improving\nthe Effectiveness of Corporate Audit Committees, the Committee stated:\n\n        \xe2\x80\xa6 in carrying out this job it acts in reliance on senior financial management and the\n        outside auditors. A proper and well-functioning system exists, therefore, when the\n        three main groups responsible for financial reporting -- the full board including the\n        audit committee, financial management including the internal auditors, and the\n        outside auditors -- form a \xe2\x80\x9cthree-legged stool\xe2\x80\x9d that supports responsible financial\n        disclosure and active and participatory oversight. However, in the view of the\n        Committee, the audit committee must be \xe2\x80\x9cfirst among equals\xe2\x80\x9d in this process, since\n        the audit committee is an extension of the full board and hence the ultimate monitor\n        of the process.\n\nThe Sarbanes-Oxley Act placed renewed emphasis on the role of the audit committee. The\nAct requires audit committees to be independent and to assume certain oversight\nresponsibilities. To meet these requirements and enhance their effectiveness, organizations\nhave developed various practices. Based on a PricewaterhouseCoopers worldwide study of\nbest practices, the main areas of audit committee responsibility include oversight of financial\nreporting, management of risks and internal control, and the work of external and internal\nauditors. 
Also, audit committees need to evaluate their own performance, establish effective\nworking relationships with management, and monitor compliance with regulations and\nethical issues. These areas of responsibility are illustrated in more detail in Table 2 on the\nnext page.\n\n\n\n\n8\n  The panel was established in September 1998 by the New York Stock Exchange and National Association of\nSecurities Dealers, Inc., to make recommendations on strengthening the role of audit committees in overseeing\nthe corporate financial reporting process.\n                                                      5\n\x0cTable 2: Main Areas of Audit Committee Responsibility\n\n\n\n\n    Financial                    Risk                            External audit                  Internal audit\n    reporting                    management &                    \xe2\x80\xa2 Appointment                   \xe2\x80\xa2 Charter,\n    \xe2\x80\xa2 Appropriateness            internal                        and remuneration                authority and\n    of accounting                control                         \xe2\x80\xa2 Scope of work                 resources\n    policies                     \xe2\x80\xa2 Understanding                 \xe2\x80\xa2 Independence                  \xe2\x80\xa2 Scope of work\n    \xe2\x80\xa2 Disclosure                 key risk areas                  requirements                    \xe2\x80\xa2 Internal audit\n    requirements                 \xe2\x80\xa2 Effectiveness of              \xe2\x80\xa2 Significant audit             effectiveness\n    \xe2\x80\xa2 Fairness and               controls                        findings/                       \xe2\x80\xa2 Responses to\n    balance of                   \xe2\x80\xa2 Fraud risk                    recommendations                 internal audit\n    Management                                                   \xe2\x80\xa2 Reviewing the                 recommendations\n    Discussion and                      
                         performance of\n    Analysis (MD&A)/                                             external auditors\n    operating review\n    \xe2\x80\xa2 Generally\n    Accepted\n    Accounting\n    Principles\n\n\n\n       Maintaining & measuring                 Communicating &                         Regulatory, compliance\n       effectiveness                           reporting                               & ethical matters\n       \xe2\x80\xa2 Training needs                        \xe2\x80\xa2 Relations with                        \xe2\x80\xa2 Effectiveness of\n       \xe2\x80\xa2 Maintaining financial                 management                              system for ensuring\n       literacy                                \xe2\x80\xa2 Updates &                             compliance with laws\n       \xe2\x80\xa2 Annual performance                    recommendations to                      and regulations\n       evaluation of audit                     the full board                          \xe2\x80\xa2 Code of conduct/ethics\n       committee                               \xe2\x80\xa2 Reports to board and                  \xe2\x80\xa2 Whistleblowing\n                                               shareholders\n\n\n\n\nSource: Audit Committees: Good Practices for Meeting Market Expectations, \xc2\xa9 PricewaterhouseCoopers,\nJuly 2003.\n\n\n\n\n                                                           6\n\x0cAudit Committee Best Practices\nSome examples of audit committee best practices to consider are provided in Table 3. 
These\npractices were adapted from Audit Committees: Good Practices for Meeting Market\nExpectations, \xc2\xa9 PricewaterhouseCoopers, dated July 2003.\nTable 3: Audit Committee Best Practices\n Authority\n\n Obtained board authority to perform activities within its terms of reference.\n\n Has access to members of management, employees, and relevant information, unless\n such access is restricted by law.\n\n Has authority to establish procedures to deal with concerns of employees and complaints\n received regarding accounting, internal control, and auditing matters.\n\n Membership\n\n The board periodically reviews the mix of experience and skills of committee members\n to maintain an appropriate balance.\n\n Committee members are appointed by the board or a nominating committee of the board.\n\n The size of the committee is appropriate to the organization.\n\n The experience and qualifications of committee members are compatible with the duties\n of the committee, including the ability to understand financial statements. 
At least one of\n the members has accounting or related financial expertise.\n\n Meetings\n\n The committee meets regularly, with special meetings called as circumstances warrant.\n (At least 3 or 4 meetings each year are desirable.)\n\n Meeting agendas and supporting papers are prepared and distributed sufficiently far\n enough in advance to enable committee members to prepare for meetings.\n\n The chairman or another member of the committee attends the board meeting at which\n the financial statements are approved.\n\n Members of the committee attend every meeting.\n\n Minutes of meetings are circulated on a timely basis to members of the board and audit\n committee (and auditors where appropriate).\n\n                                             7\n\x0cThe committee meets with in-house legal counsel on a regular basis.\n\nNew committee members are provided with sufficient background information and\ntraining to meet their responsibilities effectively.\n\nThe committee has adequate resources to discharge its responsibilities.\n\nThe Committee\xe2\x80\x99s Internal Control Responsibilities\n\nEvaluates the \xe2\x80\x9ccontrol culture\xe2\x80\x9d established by management.\n\nUnderstands the control systems implemented by management for approval of\ntransactions, recording of data, and compliance of the financial statements with relevant\nstandards and requirements.\n\nConsiders whether internal control recommendations made by auditors have been\nimplemented by management.\n\nConsiders how management has reviewed the adequacy of controls surrounding\nelectronic data processing and computer security.\n\nThe Committee\xe2\x80\x99s Financial Reporting Responsibilities\n\nReviews the areas of greatest financial risk and management\xe2\x80\x99s actions to address those\nareas.\n\nReviews significant accounting and reporting issues and understands their likely impact\non the financial statements.\n\nOversees the periodic financial reporting process and reviews the 
interim financial\nstatements, annual financial statements, and preliminary announcements prior to their\nrelease.\n\nMeets with management and external auditors to review the financial statements and\nresults of the audit.\n\nEnsures that significant adjustments, unadjusted differences, disagreements with\nmanagement, and critical accounting policies have been discussed with the external\nauditor.\n\nConsiders whether the narrative information included in the other sections of the annual\nreport is understandable and consistent with the information in the financial statements.\n\nReads the representation letters given by management to the external auditors and\nconsiders any specific representations therein.\n\n                                            8\n\x0c  The Committee\xe2\x80\x99s Compliance With Laws and Regulations Responsibilities\n\n  Reviews management\xe2\x80\x99s procedures for monitoring the company\xe2\x80\x99s compliance with laws\n  and regulations.\n\n  Reviews updates from management and legal counsel regarding compliance matters that\n  may affect the financial statements.\n\n  The Committee\xe2\x80\x99s Responsibilities Regarding Auditors\n\n  Discusses the auditors\xe2\x80\x99 proposed audit scope and approach.\n\n  Discusses any audit problems, including restrictions on the scope of the audit or denials\n  of access to requested information.\n\n  Reviews reports made by the auditors to management, and ensures that management\n  responds to these findings.\n\n  Meets privately with auditors on a regular basis.\n\n  Discusses the extent to which auditing and accounting firms are used, and understands\n  the rationale for their use.\n\n  The Committee\xe2\x80\x99s Reporting Responsibilities\n\n  Reports committee activities to the board regularly.\n\n  Ensures that reports on committee activities required by law have been prepared.\n\n  The Committee\xe2\x80\x99s Performance Evaluation Responsibilities\n\n  Periodically assesses the 
performance of individual members and of the committee as a\n  whole.\n  Assesses the achievement of the duties specified in the charter and reports to the board.\n\n  The Committee\xe2\x80\x99s Charter\n\n  Reviews the committee charter annually, and discusses any proposed changes with the\n  board.\n\n  Ensures the charter is approved/reapproved by the board.\n\nWe have organized these practices into an audit committee self-assessment tool in\nAppendix II. The tool can be modified to reflect the specific operations of the FDIC.\n\n\n                                              9\n\x0cOverview of Enterprise Risk Management\n\nAs discussed earlier, risk management and internal control are in the areas of audit\ncommittee responsibility. A practice that has emerged to identify and manage risk from a\ncorporate-wide perspective is ERM. Based on the 2002 benchmarking survey9 of ERM in\nthe insurance industry, insurance companies were implementing ERM for the reasons noted\nin Table 4.\n\n                   Table 4: Insurance Companies That Implemented ERM\n                    Reason for Implementation                   Percent of Companies\n                                                                That Responded*\n\n                    Good business practice                      88\n                    Provides coherent conceptual                52\n                    framework to coordinate risk\n                    management activity\n                    Provides competitive advantage              46\n\n                    Corporate governance guidelines             42\n\n                   Source: Tillinghast-Towers Perrin.\n                   *Eighty-two companies responded.\n\n\nEssentially, ERM differs from the traditional approach to risk management as illustrated in\nTable 5 on the next page.\n\n\n\n\n9\n The Tillinghast-Towers Perrin survey of insurance companies discussed in its report entitled, Enterprise Risk\nManagement in the Insurance Industry 
2002 Benchmarking Survey Report.\n                                                        10\n\x0cTable 5: Traditional Risk Management in Comparison to ERM\nTraditional Risk Management                         ERM\n\n\n\nRisk as individual hazards                          Risk in the context of business strategy\n\nRisk identification and assessment                  Risk portfolio development\n\nFocus on discrete risks                             Focus on critical risks\n\nRisk mitigation                                     Risk optimization\n\nRisk limits                                         Risk strategy\n\nRisk with no owners                                 Defined risk responsibilities\n\nHaphazard risk quantification                       Monitoring and measuring of risks\n\n\xe2\x80\x9cRisk is not my responsibility\xe2\x80\x9d                     \xe2\x80\x9cRisk is everyone\xe2\x80\x99s responsibility\xe2\x80\x9d\nSource: Excerpt from \xe2\x80\x9cEnterprise Risk Management: What CPAs [Certified Public Accountants] Need to\nKnow About this Company-Wide Approach,\xe2\x80\x9d \xc2\xa9 Journal of Accountancy, June 2004.\n\n\nDetermining an ERM Framework\n\nOrganizations with experience in ERM note that implementation is not without its\nchallenges. For example, some of the common challenges for insurance companies include a\nlack of tools for assessing, measuring, mitigating, and financing operational risks;\norganizational turf; processes; and time.10\n\nTo implement an ERM program, an organization needs to decide on a framework. There are\nno \xe2\x80\x9cright answers\xe2\x80\x9d for establishing a framework; however, organizations can develop four\nkey questions to help in establishing an ERM framework appropriate for the specific\nsituations and culture of the organization. These four key questions11 are as follows.\n\nQuestion 1: What are the objectives for ERM? 
Organizations can have several objectives,\nbut the priority they assign to each objective is important. Some objectives include:\n\n     \xe2\x80\xa2   Compliance - reacting to external guidance\n     \xe2\x80\xa2   Defense - anticipating problems\n     \xe2\x80\xa2   Coordination/integration \xe2\x80\x93 breaking down internal \xe2\x80\x9csilos\xe2\x80\x9d by coordinating risk\n         management activities for the sake of efficiency\n10\n   RiskValueInsights: Creating Value Through Enterprise Risk Management \xe2\x80\x93 A Practical Approach for the\nInsurance Industry, Tillinghast-Towers Perrin.\n11\n   Implementing Enterprise Risk Management: Getting the Fundamentals Right, Jerry Miccolis, Brinton Eaton\nAssociates, Inc., \xc2\xa9 International Risk Management Institute, June 2003.\n                                                    11\n\x0c   \xe2\x80\xa2   Exploiting opportunities and creating value \xe2\x80\x93 appreciating risk interaction across the\n       enterprise\n\nQuestion 2: What will be the scope of the ERM program? 
The following are examples of the\ntypes of risks that may be included in an ERM program:\n\n   \xe2\x80\xa2   Financial \xe2\x80\x93 interest rate, investment, credit, liquidity\n   \xe2\x80\xa2   Operational \xe2\x80\x93 technology, political, regulatory\n   \xe2\x80\xa2   Hazard \xe2\x80\x93 legal liability, property damage, natural catastrophe\n   \xe2\x80\xa2   Strategic \xe2\x80\x93 poor planning and poor execution\n\nAlso, management may desire that ERM influence processes such as:\n\n   \xe2\x80\xa2   Strategic planning\n   \xe2\x80\xa2   Capital management\n   \xe2\x80\xa2   Asset allocation\n   \xe2\x80\xa2   Performance measurement\n   \xe2\x80\xa2   Financial modeling\n\nThe scope of the risks and management processes need to be aligned and are likely to help\nthe organization achieve the ERM objectives determined in response to Question 1.\n\nQuestion 3: What kind of organizational structure, based on ERM, will work for the\norganization? To answer this question, consider the following:\n\n   \xe2\x80\xa2   The organizational components that will be involved in managing ERM and the\n       functions that will be integrated into the ERM program. Some organizations use\n       existing functions, while others create new functions such as a chief risk officer\n       (CRO) or ERM policy committee.\n\n   \xe2\x80\xa2   The anticipated responsibilities of the ERM. Will the function serve as a coordinating\n       body for the individual risk management activities or as an advisory body?\n\n   \xe2\x80\xa2   The management level to which the ERM function will report. A CRO may report to\n       either the Chief Executive Officer (CEO) or Chief Financial Officer (CFO), while an\n       ERM committee may report to the CEO.\n\n   \xe2\x80\xa2   The most important capabilities and competencies for the ERM function. 
The ERM\n       function\xe2\x80\x99s capabilities and competencies could include risk assessment, modeling,\n       financial engineering, communication, organizational management, and project\n       management.\n\n\n\n\n                                              12\n\x0cTable 6 shows examples of the risk infrastructure used by some major corporations.\n\nTable 6: Examples of Risk Infrastructures\n Company                                       Risk Infrastructure\n\n J.P. Morgan Chase                             Highly organized committee structure to\n                                               communicate and drive risk\n                                               management considerations into\n                                               operating decisions.\n E.I. du Pont de Nemours and Company           Risk management committee assists the\n                                               CEO in setting risk management\n                                               policies and guidelines. Committee\n                                               maintains close contact with business\n                                               units.\n Microsoft Corporation                         Driven by technology via Intranet and\n                                               ongoing personal communication of risk\n                                               management group with operating\n                                               management.\n United Grain Growers Limited                  Risk management committee\n [Merged with Agricore Cooperative Ltd. 
on     recommends policy and process: reports\n November 1, 2001]                             to audit committee on risk management\n                                               performance.\n Unocal Corporation                            Efforts of internal audit department and\n                                               health, environmental, and safety\n                                               department to promote enterprise-wide\n                                               risk management throughout operating\n                                               management.\n\nSource: Making Enterprise Risk Management Pay Off, How Leading Companies Implement Risk Management,\nThomas L. Barton, William G. Shenkir, and Paul L. Walker, \xc2\xa9 Prentice Hall, 2002.\n\nQuestion 4: What tools will the organization need to implement the ERM program? Some\npossible tools include:\n\n    \xe2\x80\xa2   Risk audit guides \xe2\x80\x93 for risk mapping of individual risks, risk assessment workshops,\n        and risk assessment interviews with management and staff.\n    \xe2\x80\xa2   Stochastic risk models \xe2\x80\x93 to simulate a specific system by developing cause-effect\n        relationships between all the variables of that system.\n    \xe2\x80\xa2   Risk monitoring reports \xe2\x80\x93 for managers, boards, and external stakeholders.\n\nWhen determining the type of tools to select, organizations should consider tools that fit the\nrisks and processes within the scope of the ERM program.\n\n\n\n\n                                                13\n\x0cLessons Learned From Others in Developing an ERM Framework\n\nAlthough no single ERM model fits all organizations, a study of how large companies were\nimplementing ERM identified some \xe2\x80\x9clessons learned\xe2\x80\x9d that could be used in the process of\ncustomizing an ERM framework. The study, sponsored by the Financial Executives\nResearch Foundation, reviewed five major companies, including J.P. 
Morgan Chase and Microsoft Corporation, and identified the following 18 lessons learned.12

Lesson 1

Organizations may have difficulty identifying a “cookbook recipe” for implementing ERM because the appropriate approach depends on the culture of the company and the agents leading the effort. Decision-makers need to make risk management a critical part of their jobs, and they need to be aware of the risks facing other units and the organization as a whole.

Lesson 2

Managing risk effectively requires a formal initiative to identify all significant risks. Possible risk identification methods include scenario analysis, self-assessments, brainstorming sessions, and team meetings.

Lesson 3

Risk identification should be dynamic and continuous because the business environment continually changes. The risk identification process involves identifying all risks and sorting them by importance.

Lesson 4

Determining the importance, severity, or dollar amount of risks is central to the risk ranking process. A risk ranking component helps management understand the perceived importance of a risk, and by sorting the risks according to importance, management can develop a risk management strategy and allocate resources efficiently.

Lesson 5

“Risks should be ranked on some scale of frequency or probability.” One company lists risks and rates them on probability, while another company assigns a frequency to each risk. Tools such as risk lists help management develop a view of all the risks and identify those that are most significant.

12 Making Enterprise Risk Management Pay Off, How Leading Companies Implement Risk Management, Thomas L. Barton, William G. Shenkir, and Paul L.
Walker, © Prentice Hall, 2002.

Lesson 6

Financial risks should be measured with the most sophisticated and relevant tools available. Risk measurement helps ensure that the organization is not spending resources on the least risky areas. Organizations face a challenge here because not all risks are measurable. For example, operational risk management is in its early stages, so there may be little historical information to use as a baseline. Sharing best practices is a possible approach.

Lesson 7

“Develop sophisticated tools and measures that meet the organization’s needs and that management can easily understand.” The most developed area of risk measurement is financial risk. Tools such as value at risk (VAR) are available to assist in measuring financial risk. VAR measures the worst expected loss over a given time period at a given confidence level and was originally developed for use in financial institutions. Other methods include earnings at risk (EAR) and stress testing. EAR measures the impact of risks on earnings, and stress testing reviews the impact of worst-case scenarios.

Lesson 8

Understand the organization’s risk appetite. Risk appetite is the amount of risk the company is willing to accept. Knowing that amount, and having a measure of how risk affects areas such as earnings, permits managers to understand the relationship between risk and achieving expectations.

Lesson 9

Thoroughly measure nonfinancial risks. As noted earlier, measuring operational risks is new and not as advanced as measuring financial risks. Recognizing that operational risks are important, some companies are sharing best practices in this area and developing metrics.
Also, techniques used in measuring financial risks may be adapted for operational risk measurement. Risk profiles and worst-case scenario analysis are examples of techniques that may be adapted to operational risk measurement.

Lesson 10

“Companies are choosing different combinations of acceptance, transfer, and mitigation13 to manage risk.” The organization’s willingness to accept risks may influence its approach to managing them. For example, an organization can accept a risk if management determines that the organization can bear the consequences or that the risk has been mitigated or transferred to a level that the company is willing to accept.

13 An organization may build controls to mitigate a risk.

Lesson 11

Reevaluate decisions regarding control, acceptance, and transfer of risk on a continuous basis. Building controls is a form of mitigating risk. Companies that identify risks evaluate the controls that mitigate higher-priority risks and implement continuous monitoring to detect potential problems.

Lesson 12

Identify original solutions and transfer risk where economic opportunities exist. Companies may use a combination of acceptance, transfer, and mitigation strategies. Companies may also link risk management to employee incentives, which reinforces the importance of managing risk.

Lesson 13

View risk management from an enterprise-wide perspective. An enterprise-wide view permits the entity to identify inconsistencies in the level of risk management was taking and to determine whether a small group of risks has a major influence.
In addition, opportunities for savings may be identified.

Some steps for integrating risk management into the organization’s processes are identified in Table 7.

Table 7: Steps for Integrating ERM

Step   Action                                                   Methods
1      Determine all significant risks.                         List risks, assess risks, map risks
2      Measure risk, and integrate best practices and tools.    VAR, EAR, and stress testing
3      Conduct research throughout the organization.            Search for inconsistencies, natural offsets, and transfer/financing opportunities

Source: Making Enterprise Risk Management Pay Off, How Leading Companies Implement Risk Management, Thomas L. Barton, William G. Shenkir, and Paul L. Walker, © Prentice Hall, 2002.

Lesson 14

Permit consultants only to supplement senior management involvement in the risk management effort. Consultants are used to provide information on how other companies manage specific risks and to provide data on incidents.

Lesson 15

ERM can offer more effective risk management than traditional approaches.
Once the proper strategy is developed, ERM enables organizations to control their risks with greater efficiency than traditional approaches, which are hampered by organizational “turf” issues.

Lesson 16

“Making risk consideration a part of the decision-making process is an essential element to enterprise-wide risk management.” Companies link risk management and business strategy and use the intranet to integrate risk management with everyday business management.

Lesson 17

Risk management infrastructures are important for ensuring that decision-makers consider risks. One approach is to use a committee structure to integrate risk management into operations. Other examples were discussed in Table 6.

Lesson 18

The commitment of champions at the senior management level is a prerequisite for implementing ERM. ERM succeeds when senior management commits to the program. Senior management commitment is critical because the integration process requires balancing various interests and skills.

A Model ERM Framework

To provide insight into a viable ERM framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a draft ERM framework. COSO defines ERM as:

    … a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

In effect, ERM reflects certain fundamental concepts.
Specifically, ERM:
    •   Is a process.
    •   Is effected by people.
    •   Is applied in strategy setting.
    •   Is applied across the enterprise.
    •   Is designed to identify potential events and manage risk within the entity’s risk appetite.
    •   Provides reasonable assurance.
    •   Is geared to achieving objectives.

Each of these concepts is discussed in Appendix III.

Components of the COSO ERM Framework

According to the COSO framework, ERM consists of eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. These components are derived from the way management runs a business and are integrated with the management process. The COSO draft ERM framework describes the components as follows.

Internal Environment

The internal environment is the foundation for all other components and influences how strategy and objectives are established. The board of directors is a critical part of the internal environment and influences other elements such as the entity’s ethical values, the competence and development of personnel, and management’s operating style. Also, as part of the internal environment, management establishes a risk management philosophy and integrates risk management with related initiatives.

Objective Setting

Management establishes strategic objectives within the context of an established mission or vision and establishes related objectives. ERM provides assurance that management has a process to set objectives that are consistent with the entity’s risk appetite and aligned with the entity’s mission/vision.

Event Identification

Event identification involves considering the external and internal factors that affect the occurrence of an event.
External factors may include economic, business, natural environment, or political factors. Internal factors include infrastructure, personnel, process, and technology. Potential events may be grouped into categories to help management understand their interrelationships. Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

Risk Assessment

Risk assessment involves considering how potential events may affect the achievement of objectives. The methodology may combine qualitative and quantitative techniques; examples include benchmarking and conducting interviews and workshops. Choosing the proper technique depends on factors such as the need for precision and the culture of the business unit.

Risk Response

ERM requires management to select a response that is expected to reduce risk to the entity’s risk tolerance level. Risk responses include avoidance, reduction, sharing, and acceptance. The COSO draft ERM framework explains these terms as follows:

    Avoidance responses take action to exit the activities that give rise to the risks. Reduction responses reduce the risk likelihood, impact, or both. Sharing responses reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Acceptance responses take no action to affect likelihood or impact. As part of enterprise risk management, for each significant risk, an entity considers potential responses from a range of response categories.
    This gives sufficient depth to response selection and also challenges the “status quo.”

Control Activities

Control activities occur throughout the organization and are the policies and procedures that help management ensure that risk responses are properly executed. The policies establish what should be done, and the procedures put the policies into effect.

Information and Communication

Relevant information from internal and external sources is collected and communicated to personnel in a form and time frame that enable them to carry out their responsibilities. Communication is effective when it flows down, across, and up the organization. Communication can also occur with external parties such as customers and suppliers.

Monitoring

Monitoring involves evaluating whether the ERM components are present and functioning, and assessing the quality of the components’ performance over time. Management can implement a monitoring program through ongoing activities, separate evaluations, or both. Both methods help ensure that ERM is applied at all levels and across the organization.

Assessing the Current State of Internal Control

Another area receiving increased attention as a result of the Sarbanes-Oxley Act is internal control over financial reporting. An emerging practice for evaluating the current state of an organization’s internal control over financial reporting is the internal control maturity framework.

The primary objective of the internal control maturity framework is to determine whether existing or proposed controls for activities and processes adequately manage the related risks and are documented to facilitate review.
The hierarchy for categorizing the maturity levels of controls is provided in The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges: A White Paper, PricewaterhouseCoopers, and is presented as follows.

Level 1: Unreliable
    •   Unpredictable environment in which controls are not designed or in place.

Level 2: Informal
    •   Controls are designed and in place but are not adequately documented.
    •   Controls are mostly dependent on people.
    •   There is no formal training on, or communication of, controls.

Level 3: Standardized
    •   Controls are designed and in place.
    •   Controls have been documented and communicated to employees.
    •   Deviations from controls may not be detected.

Level 4: Monitored
    •   Standardized controls with periodic testing for effective design and operation, with reporting to management.
    •   Automation and tools may be used in a limited way to support controls.

Level 5: Optimized
    •   An integrated internal control framework has been established, with real-time monitoring by management and continuous improvement (enterprise-wide risk management).
    •   Automation and tools are used to support controls and allow the organization to make rapid changes to the controls if needed.

The maturity framework can assist CFOs in evaluating whether the level of maturity for a given control area is satisfactory or whether additional action is needed. The step from Level 3 to Level 4 is whether the documented controls are actually tested for operating effectiveness; documentation alone does not show that a control operates as designed or that deviations would be detected.

SUMMARY

In light of the recent scandals that caused the failure of several major corporations, reforms have been initiated by the Congress and regulatory organizations.
Also, new strategies have been developed to respond to these reforms and to the public demand for improved corporate governance and accountability. Federal agencies have the opportunity to develop sound corporate governance structures and lead by example. The FDIC is in a particularly favorable position because it already has key governance components: an audit committee, an ERM program, and independent auditors. The information in this report is intended to assist the Corporation in reviewing current practices and programs and determining the need for enhancements.

CORPORATION COMMENTS

A written response was not required for the report. OERM advised the OIG that it had no official comments.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our research was to provide information that may be used in evaluating approaches for enhancing some key elements of the corporate governance framework – the audit committee, risk management, and internal control over financial reporting. To achieve our objective, we searched the following for best practices and information related to our topic: the Internet, prior GAO reports, trade journals and magazines, private sector studies, pronouncements from authoritative sources, and other resources issued within the last 2 years, with a particular focus on information pertaining to financial organizations. We also researched recent case studies and information on the challenges other organizations faced and the lessons they learned when implementing an ERM program.
Our work was conducted from June to July 2004 in accordance with generally accepted government auditing standards.

APPENDIX II

AUDIT COMMITTEE SELF-EVALUATION TOOL
Adapted from Audit Committees: Good Practices for Meeting Market Expectations, © PricewaterhouseCoopers, July 2003

For each audit committee practice listed below, the tool provides columns to record the section number of the committee charter that addresses it, whether the practice is being followed (Yes/No/N/A), and any action item.

Authority
    •   Obtained board authority to perform activities within the audit committee’s terms of reference.
    •   Has access to members of management, employees, and relevant information, unless such access is restricted by law.
    •   Has authority to establish procedures to deal with concerns of employees and complaints regarding accounting, internal control, and auditing matters.

Membership
    •   The board periodically reviews the mix of experience and skills of committee members to maintain an appropriate balance.
    •   Committee members are appointed by the board or a nominating committee of the board.
    •   The size of the committee is appropriate to the organization.
    •   The experience and qualifications of committee members are compatible with the duties of the committee, including the ability to understand financial
statements. At least one of the members has accounting or related financial expertise.

Meetings
    •   The committee meets regularly, with special meetings called as circumstances warrant. (At least three or four meetings each year are desirable.)
    •   Meeting agendas and supporting papers are prepared and distributed sufficiently far in advance to enable committee members to prepare for meetings.
    •   Minutes of meetings are circulated on a timely basis to members of the board and audit committee (and to auditors where appropriate).
    •   The chairman or another member of the committee attends the board meeting at which the financial statements are approved.
    •   Members of the committee attend every meeting.
    •   The committee meets with in-house legal counsel on a regular basis.
    •   New committee members are provided with sufficient background, information, and training to meet their responsibilities effectively.
    •   The committee has adequate resources to discharge its responsibilities.

Internal Control
    •   Evaluates the “control culture” established by management.
    •   Understands the control systems implemented by management for approval of transactions, recording of data, and compliance of the financial statements with relevant standards and requirements.
    •   Considers whether internal control recommendations made by auditors have been implemented by management.
    •   Considers how management has reviewed the adequacy of controls surrounding electronic data processing and computer security.

Financial Reporting
    •   Reviews the areas of greatest financial risk and management’s actions to address those areas.
    •   Reviews significant accounting and reporting issues and understands their likely impact on the financial statements.
    •   Oversees the periodic financial reporting process and reviews the interim financial statements, annual financial statements, and preliminary announcements prior to their release.
    •   Meets with management and external auditors to review the financial statements and results of the audit.
    •   Ensures that significant adjustments, unadjusted differences, disagreements with management, and critical accounting policies have been discussed with the external auditor.
    •   Considers whether the narrative information included in the other sections of the annual report is understandable and consistent with the information in the financial statements.
    •   Reads the representation letters given by management to the external auditors and considers any specific representations therein.

Compliance with Laws and Regulations
    •   Reviews management’s procedures for monitoring the organization’s compliance with laws and regulations.
    •   Reviews updates from management and legal counsel regarding compliance matters that may affect the financial statements.

Responsibilities Regarding Auditors
    •   Discusses the auditors’ proposed audit scope and approach.
    •   Discusses any audit problems, including restrictions on the scope of the audit or denials of access to requested information.
    •   Reviews reports made by the
auditors to management, and ensures that management responds to these findings.
    •   Meets privately with auditors on a regular basis.
    •   Discusses the extent to which audit and accounting firms are used and understands the rationale for using them.

The Committee’s Reporting Responsibilities
    •   Reports committee activities to the board regularly.
    •   Ensures that any reports required by law concerning committee activities have been prepared.

Evaluating Performance
    •   Periodically assesses the performance of individual members and the committee as a whole.
    •   Assesses the achievement of the duties specified in the charter and reports to the board.

Charter
    •   Reviews the committee charter annually, and discusses any proposed changes with the board.
    •   Ensures the charter is approved/reapproved by the board.

APPENDIX III

EXCERPT FROM COSO EXPOSURE DRAFT: ENTERPRISE RISK MANAGEMENT FRAMEWORK

A Process

Enterprise risk management is not one event or circumstance, but a series of actions that permeate an entity’s activities.
These actions are pervasive and inherent in the way management runs the business.

Enterprise risk management is different from the perspective of some observers who view it as something added on to an entity’s activities, or as a necessary burden. That is not to say effective enterprise risk management does not require incremental effort. For instance, risk assessment may require incremental effort to develop needed models and make necessary analysis and calculations. However, these and other enterprise risk management mechanisms are intertwined with an entity’s operating activities and exist for fundamental business reasons. Enterprise risk management is most effective when these mechanisms are built into the entity’s infrastructure and are part of the essence of the enterprise. By building in enterprise risk management, an entity can directly affect its ability to implement its strategy and achieve its vision or mission.

Building in enterprise risk management also has important implications for cost containment, especially in the highly competitive marketplaces many companies face. Adding new procedures separate from existing ones adds costs. By focusing on existing operations and their contribution to effective enterprise risk management, and integrating risk management into basic operating activities, an enterprise can avoid unnecessary procedures and costs. And a practice of building enterprise risk management into the fabric of operations helps identify new opportunities for management to seize in growing the business.

Effected by People

Enterprise risk management is effected by a board of directors, management and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity’s mission/vision, strategy and objectives and put enterprise risk management mechanisms in place.

Similarly, enterprise risk management affects people’s actions.
Enterprise risk management recognizes that people do not always understand, communicate or perform consistently. Each individual brings to the workplace a unique background and technical ability, and has different needs and priorities.

These realities affect, and are affected by, enterprise risk management. Each person has a unique point of reference which influences how they identify, assess and respond to risk. Enterprise risk management provides the mechanisms needed to help people understand risk in the context of the entity’s objectives. People must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people’s duties and the way in which they are carried out, as well as with the entity’s strategy and objectives.

An organization’s people include the board of directors, as well as management and other personnel. Although directors primarily provide oversight, they also provide direction and approve strategy and certain transactions and policies. As such, boards of directors are an important element of enterprise risk management.

Applied in Setting Strategy

An entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that align with and support its vision or mission. An entity establishes a strategy for achieving its strategic objectives. It also sets related objectives it wants to achieve, flowing from the strategy, cascading to business units, divisions and processes. In setting strategy, management considers risks relative to alternative strategies.

Applied Across the Enterprise

To successfully apply enterprise risk management, an entity must consider its entire scope of activities.
Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review. Enterprise risk management also applies to special projects and new initiatives that might not yet have a designated place in the entity’s hierarchy or organization chart.

Enterprise risk management requires an entity to take a portfolio view of risk. This might involve each manager responsible for a business unit, function, process or other activity developing an assessment of risk for the unit. The assessment may be quantitative or qualitative. With a composite view at each succeeding level of the organization, senior management is positioned to make a determination whether the entity’s overall risk profile is commensurate with its risk appetite.

Management considers interrelated risks from an entity-level portfolio perspective. Interrelated risks need to be identified and acted upon to bring the entirety of risk within the entity’s risk appetite.
Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole. The overall risk appetite is reflected downstream in an entity through risk tolerances established for specific objectives.

Risk Appetite
Risk appetite is the amount of risk an entity is willing to accept in pursuit of value. Entities often consider risk appetite qualitatively, with such categories as high, moderate or low, or they may take a quantitative approach, reflecting and balancing goals for growth, return and risk.

Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite. Different strategies will expose the entity to different risks. Enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk appetite.

The entity’s risk appetite guides resource allocation. Management allocates resources across business units with consideration of the entity’s risk appetite and individual business unit’s strategy for generating a desired return on invested resources. Management considers its risk appetite as it aligns its organization, people and processes, and designs infrastructure necessary to effectively respond to and monitor risks.

Risk tolerances are the acceptable level of variation relative to the achievement of objectives.
In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite. Operating within risk tolerances provides management greater assurance that the entity will remain within its risk appetite and, in turn, provides a higher degree of comfort that the entity will achieve its objectives.

Provides Reasonable Assurance

Well-designed and operated enterprise risk management can provide management and the board of directors reasonable assurance regarding achievement of an entity's objectives. As a result of enterprise risk management determined to be effective, in each of the categories of entity objectives, the board of directors and management gain reasonable assurance that:

    •   They understand the extent to which the entity’s strategic objectives are being achieved,
    •   They understand the extent to which the entity's operations objectives are being achieved,
    •   The entity’s reporting is reliable, and
    •   Applicable laws and regulations are being complied with.

Reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with certainty. Limitations also result from the realities that human judgment in decision making can be faulty, decisions on risk responses and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions.
These limitations preclude a board and management from having absolute assurance that objectives will be achieved.

Achievement of Objectives

Effective enterprise risk management can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting and to compliance with laws and regulations. Achievement of those categories of objectives is within the entity’s control and depends on how well the entity’s related activities are performed. However, achievement of strategic and operations objectives is not always within the entity's control. For these objectives, enterprise risk management can provide reasonable assurance only that management and the board, in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.